The Environmental Protection Agency has yet to fully implement information security across the agency and has failed to adequately keep track of agency-issued IT property, such as laptops and cellphones, exposing the agency to fraud and abuse, according to two May 2018 reports issued by the EPA Office of Inspector General.

A May 8 report on EPA management challenges found that the EPA’s failure to properly verify contractor training and backgrounds, inability to implement up-to-date hardware inventory, and insufficient emphasis by management to resolve audit findings have contributed to challenges in overall information security.

“The EPA continues to face a management challenge in implementing a vigorous cybersecurity program that strengthens its network defenses and data security in a time of ever-increasing threats to federal government networks,” the report said.

Information security has been a management problem for the EPA since 2001, according to the report. And while the agency has taken actions to address the cybersecurity recommendations made in past reports, the OIG called for more work to be done.

“Current audit work continues to note that the EPA lacked a holistic approach to managing accountability over its contractors and ensuring personnel responsible for overseeing contractors were aware of their responsibilities,” the report said.

To warrant removal from the management challenges report, the agency will have to demonstrate to leadership commitment, monitor progress and demonstrate improvements in cybersecurity.

A second May 9 report found that the EPA has also failed to keep up with processes for managing IT property given to its employees.

The report found that the EPA’s Region Five — which includes Illinois, Indiana, Michigan, Minnesota, Ohio and Wisconsin — lacked guidance and policy for tracking agency IT, and excess IT was not always tracked or recorded.

The agency as a whole also failed to establish guidance for excess IT property. Employees were often unaware of the proper procedures and systems for tracking IT, and responsibility for property management was left to employees outside of management roles.

“Our review of the management of IT property by additional EPA organizations beyond Region 5 — specifically, [the Office of Water] and Region 2 — noted concerns that lead us to believe that [Office of Administration and Resources] management needs to strengthen its role as the EPA’s property manager,” the report said.

“OARM has not consistently communicated or enforced requirements covering EPA IT property management or provided agency tools in a timely manner to support [property custodial officers] in tracking IT property.”

The report called for the agency to establish and update its IT management practices and better inform employees of their requirements under those practices.